Data Breach Security: Here’s Why It Needs Your Attention

How long, on average, do you think it takes a company to discover a malicious security breach?

A few hours? A few weeks?

Try almost three months, according to a global report by Ponemon Institute.

Their Post Breach Boom report published in 2013 polled over 3,500 IT and IT security professionals whose organisations had suffered at least one data breach in the past two years. The purpose was to look at how the data breaches were dealt with and how prepared organisations were to prevent them. Based on the information that was uncovered, researchers found a lot of worrisome trends in the area of information security.

Despite all the attention given to the importance of information security, over 50% of respondents agreed that data breaches had increased in both severity and frequency in the previous two years, and it appears organisations are ill prepared when it comes to detecting or resolving them. In fact, only 43% of respondents said their organisations have the tools, personnel and funding to prevent data breaches. This is in spite of general agreement that understanding the root causes of breaches helps strengthen an organisation’s security position, providing vital insights into potential loopholes and vulnerabilities.

Breaches were divided into ‘malicious’ breaches, which involve the theft of information by an external hacker or criminal insider, and ‘non-malicious’ breaches, which are caused by a system error, employee negligence or a third party. Interestingly, it was found that if the root cause was a malicious insider or attack, the average per-record cost of the breach was significantly greater.

In situations where a malicious breach has been discovered, it takes an average of over four months to address it. In one third of cases reviewed, the data breach was detected by a third party, not the company’s business security system.

Worryingly, 83% of non-malicious breaches involved the loss of or failure to degauss or properly wipe a device containing sensitive data, and 17% involved contractors, suppliers or business partners losing sensitive data entrusted to them.

These figures are borne out by a quick glance through the list of monetary penalties handed out by the Information Commissioner’s Office for serious breaches of the Data Protection Act. It is littered with real-life examples, including hard drives containing patient data found for sale on an internet auction site after supposedly being securely destroyed by a third-party supplier, and multiple instances of the loss or theft of unencrypted data storage devices such as memory sticks and laptops.

Whether malicious or not, the reasons for failing to prevent breaches in the majority of cases are cited as a lack of in-house expertise or inadequate security processes, emphasising the need not just for proper policies and procedures, but for mechanisms to make sure staff are actually trained on them and follow them.

While all breaches cost companies a lot of money, they also damage reputation, brand value and image, and result in lost time and productivity.